Method and system of application-aware routing with crowdsourcing

ABSTRACT

In one aspect, a computerized method of an application routing service includes the step of using a deep-packet inspection (DPI) technique on a first network flow to identify an application. The method includes the step of storing an Internet-protocol (IP) address and a port number used by the application and an identity of the application in a database. The method includes the step of detecting a second network flow. The method includes the step of identifying the IP address and the port number of the application in the second network flow. The method includes the step of looking up the IP address and the port number in the database. The method includes the step of identifying the application based on the IP address and the port number.

CROSS REFERENCE TO RELATED CLAIM OF BENEFIT TO PRIOR APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 15/407,767, filed Jan. 17, 2017, now published as U.S. Patent Publication 2017/0126564. U.S. patent application Ser. No. 15/407,767 claims priority and is a continuation-in-part of U.S. patent application Ser. No. 15/097,282, filed on Apr. 12, 2016, now issued as U.S. Pat. No. 10,135,789. U.S. patent application Ser. No. 15/097,282 claims priority from U.S. Provisional Patent Application No. 62/146,786, filed Apr. 13, 2015. U.S. patent application Ser. No. 15/407,767 is hereby incorporated by reference in its entirety.

FIELD OF THE INVENTION

This application relates generally to computer networking, and more specifically to a system, article of manufacture and method of establishing a cloud-based multipath routing protocol.

DESCRIPTION OF THE RELATED ART

Deep-packet inspection (DPI) can be used to identify an application is inside a data flow. For example, a voice-call service (e.g. Skype®, etc.) application can be executed. Various routing decisions can be implemented based on the identity of the application. However, a DPI engine may not be able to identify the voice-call service application from the first packet. For example, this can be a TCP send to set up a connection. If a networking system wishes to make a routing decision (e.g. use a specific wide-area network (WAN) link for a Skype® call, etc.), it may not be able to do so on the first packet. The decision must wait until after the until the voice-call service protocol starts passing back and forth and the DPI engine identifies the voice-call service application signature. Accordingly, improvements to application-aware routing are desired.

BRIEF SUMMARY OF THE INVENTION

In one aspect, a computerized method of an application routing service includes the step of using a deep-packet inspection (DPI) technique on a first network flow to identify an application. The method includes the step of storing an Internet-protocol (IP) address and a port number used by the application and an identity of the application in a database. The method includes the step of detecting a second network flow. The method includes the step of identifying the IP address and the port number of the application in the second network flow. The method includes the step of looking up the IP address and the port number in the database. The method includes the step of identifying the application based on the IP address and the port number.

In another aspect, A computerized method useful for implementing an application routing service includes the step of extracting from a data packet of a network flow a layer three (3) information and a layer four (4) information. The method includes the step of querying a local application routing cache to obtain an application name based on the layer three (3) information and the layer four (4) information. The method includes the step of providing a routing decision based on the application name.

In yet another aspect, a computerized method useful for implementing an application routing service includes, with an edge device, using deep-packet inspection (DPI) to identify a network flow, wherein the network flow is identified with an internet protocol (IP) identity and a port number of the network flow. The edge device stores the IP identity and the port number of the network flow in a local application routing database. The edge device reports the IP identity and the port number to a specified Orchestrator. Another edge device requests the IP identity and the port number from the specified Orchestrator. The other edge device receives the IP identity and the port number from the specified Orchestrator. The other edge device identifies an application in another network flow using the IP identity and the port number.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example self-healing network with redundant gateways, according to some embodiments.

FIG. 2 illustrates an example system that includes autonomous gateways, according to some embodiments

FIG. 3 illustrates an example of a system of an instant VPN, according to some embodiments.

FIG. 4 illustrates another example of a system of an instant VPN, according to some embodiments.

FIGS. 5 A-B illustrates an example of a system of a cloud multipath to an Internet endpoint, according to some embodiments.

FIG. 6 illustrates an example process of an application-aware routing, according to some embodiments.

FIG. 7 illustrates another example process of an application-aware routing, according to some embodiments.

FIG. 8 illustrates application-aware routing with crowdsourcing, according to some embodiments.

FIG. 9 depicts an exemplary computing system that can be configured to perform any one of the processes provided herein.

The Figures described above are a representative set, and are not exhaustive with respect to embodying the invention.

DESCRIPTION

Disclosed are a system, method, and article of manufacture for application-aware routing with crowdsourcing. The following description is presented to enable a person of ordinary skill in the art to make and use the various embodiments. Descriptions of specific devices, techniques, and applications are provided only as examples. Various modifications to the examples described herein can be readily apparent to those of ordinary skill in the art, and the general principles defined herein may be applied to other examples and applications without departing from the spirit and scope of the various embodiments.

Reference throughout this specification to “one embodiment,” “an embodiment,” ‘one example,’ or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment,” “in an embodiment,” and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.

Furthermore, the described features, structures, or characteristics of the invention may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided, such as examples of programming, software modules, user selections, network transactions, database queries, database structures, hardware modules, hardware circuits, hardware chips, etc., to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art can recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, materials, and so forth. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.

The schematic flow chart diagrams included herein are generally set forth as logical flow chart diagrams. As such, the depicted order and labeled steps are indicative of one embodiment of the presented method. Other steps and methods may be conceived that are equivalent in function, logic, or effect to one or more steps, or portions thereof, of the illustrated method. Additionally, the format and symbols employed are provided to explain the logical steps of the method and are understood not to limit the scope of the method. Although various arrow types and line types may be employed in the flow chart diagrams, and they are understood not to limit the scope of the corresponding method. Indeed, some arrows or other connectors may be used to indicate only the logical flow of the method. For instance, an arrow may indicate a waiting or monitoring period of unspecified duration between enumerated steps of the depicted method. Additionally, the order in which a particular method occurs may or may not strictly adhere to the order of the corresponding steps shown.

Definitions

Example definitions for some embodiments are now provided.

Cloud computing can involve deploying groups of remote servers and/or software networks that allow centralized data storage and online access to computer services or resources. These groups of remote servers and/or software networks can be a collection of remote computing services.

Cloud Edge (CE) can include a cloud multipath to an Internet endpoint.

Customer-premises equipment (CPE) can be any terminal and associated equipment located at a subscriber's premises and connected with a carrier's telecommunication channel at the demarcation point.

Edge device can be a device that provides an entry point into enterprise or service provider core networks. An edge device can be software running in a virtual machine (VM) located in a branch office and/or customer premises.

Flow can be a grouping of packets that match a five (5) tuple which is a combination of Source IP Address (SIP), Destination IP Address (DIP), L4 Source Port (SPORT) and L4 Destination Port (DPORT) and the L4 protocol (PROTO).

Forward error correction (FEC) (e.g. channel coding) can be a technique used for controlling errors in data transmission over unreliable or noisy communication channels.

Deep learning can be a type of machine learning based on a set of algorithms that attempt to model high-level abstractions in data by using model architectures, with complex structures or otherwise, composed of multiple non-linear transformations

Deep Packet Inspection (DPI) can be the ability to analyze the different layers of a packet on the network.

Gateway can be a node (e.g. a router) on a computer network that serves as an access point to another network.

Internet Protocol Security (IPsec) can be a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.

Multipath routing can be a routing technique of using multiple alternative paths through a network.

Multilink bundle can be a collection of simultaneously opened bandwidth channels that are coherently and logically controlled by preset commands.

Multiprotocol Label Switching (MPLS) can be a mechanism in telecommunications networks that directs data from one network node to the next based on short path labels rather than long network addresses, thus avoiding complex lookups in a routing table.

Orchestrator can include a software component that provides multi-tenant and role based centralized configuration management and visibility.

Quality of Service (QoS) can include the ability to define a guaranteed set of actions such as routing, resource constraints (e.g. bandwidth, latency etc.).

Session can be a semi-permanent interactive information interchange between two or more communicating devices.

Software as a service (SaaS) can be a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted.

Tunneling protocol can allow a network user to access or provide a network service that the underlying network does not support or provide directly.

Virtual Desktop Infrastructure (VDI) is a desktop-oriented service that hosts user desktop environments on remote servers and/or blade PCs. Users access the desktops over a network using a remote display protocol.

Virtual private network (VPN) can extend a private network across a public network, such as the Internet. It can enable users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network, and thus benefit from the functionality, security and management policies of the private network.

Voice over IP (VoIP) can a methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet.

Additional example definitions are provided herein.

Scalable, Self-Healing Network Cloud Service for Branch Networking

FIG. 1 illustrates an example self-healing network 100 with redundant gateways, according to some embodiments. In network 100, data traffic can be routed to different gateways for different purposes. Multiple gateways can serve the same destination utilizing dynamic routing protocol. As services (e.g. SaaS 102) in the Internet (e.g. computer networks 104) may not centrally located. The combination of the Internet's wide distribution of services and/or changes in the transport quality across can lead to the use of different egress points to access different destinations. This is accomplished by deploying multiple gateways (e.g. gateways A-B 106-108) in stand-alone or redundant configurations.

An Orchestrator can inform each edge device (e.g. VCE 110) of a list of gateways it has been assigned. Additionally, routes and/or services can be assigned a subset of the gateway list that can be used for communication with a specific destination. The edge device can then perform a static determination by metrics assigned to each gateway. For example, each gateway can be assigned a metric based on geographic distance from the edge and/or a dynamic determination based on empirically measured loss, latency and/or jitter to the gateway across the Internet.

In the redundant configuration of FIG. 1, gateways A-B 106-108 can support dynamic routing protocols on the non-edge device side. This can ensure that the gateway chosen for traffic destined from the edge to the gateway is also advertised from the gateway upstream as the route with the lowest cost for return traffic. Various attributes of gateways are now discussed.

FIG. 2 illustrates an example system 200 that includes autonomous gateways, according to some embodiments. Gateway High Availability (HA) and horizontal scalability can be inherent as configuration is edge-driven and not configured on gateway 204. Edge tunnel initialization can configure, gateway 204. Edge devices 208 A-B can communicate QoS information to gateway 204 so they have information on how to treat network traffic. Implementing versioning in the flow header can ensures that gateway 204 have the correct QoS information. This is accomplished by creating flows with a version number of one (1) on the edge and incrementing this version every time a policy change is enacted on the edge. If the gateway receives a message with a higher than expected version number in the header, it will request the edge to send the updated policy information.

It is noted that each individual gateway is a self-contained autonomous entity. This is accomplished by driving configuration of gateway 204 through the edge devices 208 A-B rather than gateway 204 being directly configured by the Orchestrator. In the initial negotiation, edge devices 208 A-B can send an MP_INIT message (e.g. an initial MP tunnel establishment handshake message exchange between the edge device and the gateway device) which contains all the information needed to identify the edge device and serve as a secure and unsecure gateway for edge device traffic. This can include a logical identifier for the enterprise which is used for virtual routing and/or forwarding. The logical Identifier can also be used for subnets that are routable behind edge devices 208 A-B.

If edge devices 208 A-B is the first edge device belonging to the enterprise to connect to gateway 204, a new virtual routing and forwarding (VRF) table can be created for the enterprise. Edge devices 208 A-B's subnets can be inserted into the enterprise VRF. If edge devices 208 A-B are not the first from an enterprise to connect, the enterprise logical identifier can be used to index into the existing VRF and edge devices 208 A-B's subnets can be added to the existing table.

In another example, when a new flow is created on an edge device, the parameters used to perform QoS and/or routing on the flow can be transmitted along with the first packet to any of the gateway 204 that are handling the flow. In this manner gateway 204 can be inherently highly available. If the gateway service is removed and replaced with a new gateway service instance, edge devices 208 A-B can send a new MP_INIT which can recreate the VRF and then continue sending data traffic uninterrupted through the gateway.

By this same token, gateway 204 can be highly available because the edge can switch between gateways without interrupting customer traffic. For example, when an Orchestrator inserts an additional gateway in a gateway list that can be assigned an edge device. The edge device can then connect and begin using the gateway seamlessly without any requirement for Orchestrator to gateway communication. This removes the need for the Orchestrator to synchronize configuration changes on the edge device and the gateway as the edge device is used as the intermediary.

In another example, a gateway need not be a single gateway instance but the Internet Protocol (IP) address may be the external facing IP address of a gateway load balancer. The gateway load balancer can start and stop individual gateway instances. If the gateway load balancers detect that an instance is near its CPU and/or throughput capacity, it can shift traffic to an alternate gateway transparently and/or create a new gateway and begin steering connections to it. When gateway reboots, upgrades or maintenance are required, the gateway load balancer can steer traffic away from those instances that require maintenance to make these operations transparent to the end user.

FIG. 3 illustrates an example of a system 300 of an instant VPN, according to some embodiments. The edge device (e.g. edge devices 306-310) and gateway 304 can automatically negotiate IPsec tunnels alongside their unsecure Velocloud Multipath Protocol (VCMP) tunnels in preparation for the transmission of secure traffic. This can be performed irrespective of whether or not a VPN has been enabled on the device. In this manner, the network can be prepared to transmit secure traffic at any time. Leveraging this, an “Instant VPN” can be delivered by toggling VPN on or off on Orchestrator 302. Each edge device has a list of local subnets that are sent to gateway 304 during MP_INIT. Each subnet is can include an indication of whether or not it is reachable over VPN. When VPN is enabled on Orchestrator 302, each edge device can be informed that its subnets are reachable over VPN and each edge device can update its gateways with this information. When VPN is disabled on Orchestrator 302, each edge device can be informed that its subnets are not reachable over VPN. The edge device can update gateway 304 accordingly.

Between each edge device and its associated gateways can be a routing protocol. The routing protocol can relay state information to peers that are one hop away. For example, edge device A 306 can have a subnet A. Edge device B 308 can have subnet B. When the user enables VPN on Orchestrator 302, edge device A 306 and edge device B 308 can inform the gateways that their local subnets A and B are reachable over VPN. The gateway(s) can then inform peers in the enterprise VRF. In this way, a message can be sent to edge device B 308 instructing it that subnet A is now reachable through it. A message can also be sent to edge device A 306 instructing it that subnet B is now reachable through it. When an edge device loses connectivity to a gateway, gateway 304 can relay to peers in the VRF that the subnet is no longer reachable and the edge device updates the routing/forwarding table to mark all routes via that unreachable gateway. In this way, gateways can be added or removed, and/or routes added and removed, without restarts and/or loss of connectivity assuming at least one gateway is connected at all times.

In some examples, “Always on” IPsec tunnels can be provided. Enable/disable VPN operations can include the insertion and/or removal of routes for the appropriate VPN zone. VRF can include enterprise logical identifier on gateway ensuring multi-tenancy.

FIG. 4 illustrates another example of a system 400 of an instant VPN, according to some embodiments. A special edge device called a Datacenter Edge (DCE) 404 can be deployed as customer premise equipment. DCE 404 can be deployed in an enterprise data center, along with Orchestrator 402. DCE 404 can subsume some of the functionality of the gateway, including this route protocol management. A typical use case for this deployment can be in a pure MPLS network 406 in which there are no public Internet links and thus no public Internet gateways. In one example, route propagation can occur the same as described supra except that the VRF and routing protocol messages are managed by DCE 404. MPLS network 406 can connect with edge devices 408-412.

FIGS. 5 A-B illustrate an example of system 500 of a cloud-based multipath routing technique to an Internet endpoint (e.g. a cloud edge 516), according to some embodiments. Edge device 506 and gateway 518 can implement a multipath solution to deliver a reliable connection across the public Internet for outbound connections (e.g. between server 508 and client 502) initiated from the edge (e.g. edge device 506) through gateway 518, as well as for their return traffic. This can include multilink bundle(s). An alternate use case can include when the network traffic is initiated from an outside source. For example, the network traffic can be initiated from the Internet to server 508 in a branch office behind edge device 506.

In an example deployment, this can be Implemented by enabling a set of inbound firewall rules that allow network traffic in one or more of the wide area network (WAN) links attached to the edge device. Such an inbound connection can use a single link. For example, a session established on link A 510 may fail if link A 510 fails, and similarly for link B 512. Therefore, there is a desire to be able to support inbound connections reliably without compromising the security of the deployment.

This can be achieved by cloud edge (CE) device 516. CE 516 can be implemented in a cloud-computing environment. CE 516 can join the same VRF as that of edge device 506.

Edge device 506 can be used to accesses various resources (e.g. server 508) to be reliably accessed. In one example, edge device 506 can be set to deny inbound traffic by default. Edge device 506 can allow an administrator to specify various sources and destinations of traffic that are permitted (e.g. client 502).

For example, a rule could be created that enable the public IP address of a client 502 to reach server 508 via a public IP address 514. Public IP address 514 can be assigned to the “LAN” side of CE 516. The administrator can then connect to public IP address 514 in the cloud rather than the IP address of one of the links at the site directly. Client 502 can then securely connect over a VPN to server 508 inside the network. CE 516 can be located anywhere in the (e.g. public) Internet 504. In one example, CE 516 can be located in any of a public Cloud Service Providers (CSPs). For example, CE 516 can be implemented in a proprietary cloud-computing platform such as, inter alia, Amazon EC2® and the like. It is noted that resources from Server 508 may arrive via Link A 510 and/or Link B 512. Accordingly, this traffic can continue even if one of the links completely fails. In this way, system 500 can provide resiliency for the network as Link A 510 and/or Link B 512 can be used simultaneously and service can continue even if one of the links falls.

An intelligent edge device (e.g. edge device 506 of FIG. 5) can provide intelligent QoS. For example, applications may respond differently to key network parameters like latency, jitter, bandwidth, packet loss and processing capabilities such as available CPU cycles. For example, a VoIP application may use low bandwidth and may be sensitive to jitter, packet loss. The VoIP application may also consume a large number of CPU cycles despite the low throughput (e.g. because of smaller packet sizes). In contrast, VDI may use high bandwidth and low latency but may not very sensitive to jitter. Accordingly, a network stack can implement a suite of link optimization and remediation technologies to achieve the dual goal of optimal network resource utilization and remediating adverse network events, such as, inter alia: FEC to compensate for packet loss; jitter buffering to counter jitter; and per-packet load balancing to aggregate bandwidth usage and ensure the lowest latency path.

Smart QoS can map application flow into a traffic class and priority queue. A combination of the traffic class and priority queue can then decide the optimal routing, load balancing and remediation to be used for that flow given the prevailing network conditions at that point of time. The network stack can use the following innovations to adapt to dynamic network conditions:

In an intelligent default, the distributed management plane (e.g. an Orchestrator) sets up the edge device with a set of default QoS settings for each application. Each application can then be tagged with an SLA. The SLA can indicate a hint to the edge device for the prioritization and/or sensitivity for that particular application.

In an intelligent pre-emption, a multi-tenant, geo-diverse, network transport agnostic overlay network can be implemented. This can create a situation where the network can pre-empt adverse and/or localized network events by statistical and heuristics based analysis of the network monitoring data that is collected at the Orchestrator. This can remediate certain network conditions that are not addressed by adaptive QoS (e.g. tail drops which result in large number of packets dropped indiscriminately in the core of a service provider network) due to time taken to adapt and the fact that such a loss cannot be really compensated. In a geo-localized region, in the event of constant tail drops for a network service provider, the service can proactively turn on aggressive FEC (e.g. ‘always-on FEC’) for sensitive applications in both the specific geo-location. In one example, a slightly larger geography for sites that are using the same provider can be used in lieu of the specific geo-location. The ‘always-on FEC’ can also be configured at the Orchestrator in order to pre-empt network errors and react faster to network errors.

Adaptive QoS can be implemented by monitoring and/or instrumenting network paths. For example, adaptive QoS can be implemented to remediate a network condition that may not conform to the configured SLA for that application. To offset the overheads as a result of the continuous monitoring, the QoE (e.g. user responsiveness) can be periodically or constantly computed to reduce/augment the network monitoring.

Smart QoS can utilize deep learning methods. In addition to responding to dynamic network conditions, the smart QoS can work in tandem with application performance monitoring (APM) to adjust traffic priority based on L7 data. When the DPI engine fails to identify the application, the network stack can utilize statistical parameters (e.g. packet arrival rate, throughput) and heuristics (e.g. User Datagram Protocol (UDP) can be used by real-time applications) to identify the right set of technologies to provide the best performance.

A slow learning with crowdsourcing example is now discussed. Slow learning (e.g. to implement application-aware routing) with crowdsourcing methods can include generating a prepopulated list of well-known applications augmented by mid-flow detected data from a DPI engine. This can enable determination of an application with a first-received packet. Prepopulated data is automatically validated by a DPI engine. Any changes can be fed back locally as well as communicated to the Orchestrator. Some or all data can be shared to other edges/enterprises via the Orchestrator. In one example, L3, L4 network information can be used to create a composite application-routing database. As used herein, L3 network information can include network layer (layer 3) information. As used herein, L4 network information can include transport layer (layer 4) information. The application-routing database (e.g. a local application routing cache, etc.) can be populated by three different types of learning/sources. The first source of information built into the database can include a pre-populated map of DIP/DPORT (Destination Internet Protocol Address/Destination Port Number) to application types (e.g. termed fast learning). A second source of information can include a map of DIP/DPORT to applications that is learned from ‘mid-flow’ application detection by the DPI engine (e.g. slow learning). The third source of information can also include a map of DIP/DPORT to application names. This can include crowd-sourced (e.g. DIP/DPORT to application name mapping) information that is anonymized and aggregated at the Orchestrator. This mapping can then be shared across different enterprises (e.g. crowd-sourced learning).

Various methods of populating, updating and recovering the application-routing database are now provided. The application-routing database can be pre-populated with the set of known applications that can be identified by the DIP/DPORT and/or packaged as a part of the CPE. Alternatively, it can be downloaded from the Orchestrator. Additionally, an IT Administrator may enter customized DIP/DPORT to application mappings which can be added to the application routing database in the edge device via the Orchestrator. This method can be a component of fast learning.

The application-routing database can also be updated by ‘mid-flow’ DPI detection data as a result of slow learning methods on the edge device. In addition to this, the fast learning data and slow learning updates from different enterprises can be anonymized and/or aggregated at the Orchestrator. It can be sent down to all the edge device(s) under the management of the Orchestrator. These updates can be part of the crowd-sourced learning methods.

An example application-routing database recovery method is now provided. When an edge device first communicates with the Orchestrator, it can receive the data for pre-population of the application-routing database. This information can include any updates. Updates from slow learning and/or crowd-sourced learning can be synchronized to shared memory areas in the edge device. The updates can be recovered from service outages.

FIG. 6 illustrates an example process 600 of an application-aware routing, according to some embodiments. In step 602, the layer 3 (L3) and/or layer 4 (L4) information is extracted and matched against the application routing database (e.g. database in FIG. 6). In step 604, if this flow does not find a match in the database, then process 600 moves to step 608. If ‘yes’, then process 600 moves to step 606. In step 606, the matched application is used to look-up and apply the application specific routing policies. In step 608, on failure to find a match in the database, the flow is passed over to the DPI engine. The classification from the DPI engine is used to populate the database for future flows. The current flow may obtain some default routing policies as well. In this way, when the same application flow is encountered again, it can find a successful match in database. The application specific routing policy can then be applied for that application flow. A worst-case guarantee of application routing from the second flow can be provided in some examples. It is noted that in the seven-layer OSI model of computer networking, the network layer is L3 and the transport layer is L4.

FIG. 7 illustrates another example process 700 of an application-aware routing, according to some embodiments. For example, in an alternative step 608, the L3, L4 information can be communicated to an application routing lookup service (e.g. can be a local service synchronized with an aggregated crowd source updated remote service running in the Orchestrator like DNS). In one embodiment, an application-routing database can reside in the Orchestrator. At set intervals (e.g. every thirty (30) seconds, etc.) the edge-device can request the current state of the application-routing database from the Orchestrator and update the local application routing database. Optionally, the cached entries can be expired using a TT (Time-to-Live) value.

In step 702, at a specified period, process 700 can request the current state of the application-routing database from the orchestrator and update the local application routing database. In step 704, L3, L4 information is extracted from a packet and a query is made to the local application routing database to identify application name. In step 706, it can be determined whether step 704 successful? If ‘no’, then process 700 use a default routing policy in step 708. If ‘yes’, then the application name that was matched is used to make a routing decision in step 710. In step 712, process 700 can continue to test the flow with the DPI engine for the veracity of the application type. In case of a mismatch send a message to the orchestrator informing the mismatch. the orchestrator then decides whether to change the corresponding entry based similar updates from other crowd-sourced participants. In step 714, the flow is passed over to the dpi engine and the classification from the dpi engine is used to populate the local application routing cache and send a message to the orchestrator to add an entry.

FIG. 8 illustrates application-aware routing with crowdsourcing according to some embodiments. In step 802, process 800 can use DPI to identify a network flow. In step 804, process 800 store internet protocol (IP) identity and port number of the network flow. In step 806, process 800 report learned IP identity and port number to an applicable Orchestrator. In step 808, process 800 another edge requests the updated IP identity and port number and receives it. In step 810, process 800 the IP identity and port number is received on the other edge and matches the application routing database now even though it has never seen that packet locally or implemented DPI.

Additional Exemplary Computer Architecture and Systems

FIG. 9 depicts an exemplary computing system 900 that can be configured to perform any one of the processes provided herein. In this context, computing system 900 may include, for example, a processor, memory, storage, and I/O devices (e.g., monitor, keyboard, disk drive, Internet connection, etc.). However, computing system 900 may include circuitry or other specialized hardware for carrying out some or all aspects of the processes. In some operational settings, computing system 900 may be configured as a system that includes one or more units, each of which is configured to carry out some aspects of the processes either in software, hardware, or some combination thereof.

FIG. 9 depicts computing system 900 with a number of components that may be used to perform any of the processes described herein. The main system 902 includes a motherboard 904 having an I/O section 906, one or more central processing units (CPU) 908, and a memory section 910, which may have a flash memory card 912 related to it. The I/O section 906 can be connected to a display 914, a keyboard and/or other user input (not shown), a disk storage unit 916, and a media drive unit 918. The media drive unit 918 can read/write a computer-readable medium 920, which can contain programs 922 and/or data. Computing system 900 can include a web browser. Moreover, it is noted that computing system 900 can be configured to include additional systems in order to fulfill various functionalities. Computing system 900 can communicate with other computing devices based on various computer communication protocols such a Wi-Fi, Bluetooth® (and/or other standards for exchanging data over short distances includes those using short-wavelength radio transmissions), USB, Ethernet, cellular, an ultrasonic local area communication protocol, etc.

CONCLUSION

Although the present embodiments have been described with reference to specific example embodiments, various modifications and changes can be made to these embodiments without departing from the broader spirit and scope of the various embodiments. For example, the various devices, modules, etc. described herein can be enabled and operated using hardware circuitry, firmware, software or any combination of hardware, firmware, and software (e.g., embodied in a machine-readable medium).

In addition, it can be appreciated that the various operations, processes, and methods disclosed herein can be embodied in a machine-readable medium and/or a machine accessible medium compatible with a data processing system (e.g., a computer system), and can be performed in any order (e.g., including using means for achieving the various operations). Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense. In some embodiments, the machine-readable medium can be a non-transitory form of machine-readable medium. 

What is claimed:
 1. A method for implementing a virtual private network (VPN) for an enterprise, the method comprising: deploying a gateway in at least one public cloud to connect a plurality of premises of an enterprise; at each of at least two premises of the enterprise, deploying an edge device that automatically connects to the gateway to establish the VPN for the enterprise; from each deployed edge device, providing to the gateway a set of local subnets of the edge device that is reachable over the VPN; and from the gateway, distributing to each particular deployed edge device each set of local subnets provided by each other deployed edge device for the particular deployed edge device to use to forward packets to each other deployed edge device.
 2. The method of claim 1 further comprising before the VPN is established between the gateway and each deployed edge device, negotiating a secure connection link between the gateway and each deployed edge device in preparation for transmission of secure traffic between the gateway and edge device once the VPN is established.
 3. The method of claim 2 further comprising establishing a VPN between the gateway and a particular edge device after the particular edge device receives a message from an orchestrator that the VPN should be established.
 4. The method of claim 2 further comprising at each edge device, establishing an unsecure tunnel with the gateway before negotiating the secure connection link between the edge device and the gateway, said establishing comprising sending, as part of a handshake message exchange, information needed to identify the edge device and a logical identifier for the enterprise.
 5. The method of claim 4, wherein as part of the handshake message exchange between the gateway and the edge device, the edge device provides to the gateway the set of local subnets of the edge device.
 6. The method of claim 4, wherein the edge device automatically contacts the gateway and provides data as part of the handshake message exchange because each individual gateway is a self-contained autonomous entity that can be configured through the edge devices rather than being configured by an external orchestrator.
 7. The method of claim 4 further comprising creating, at the gateway, a new virtual routing and forwarding (VRF) table for the enterprise after being contacted by an initial edge device of the entity.
 8. The method of claim 7 further comprising inserting, at the gateway, each edge devices set of reachable local subnets in the VRF table of the edge device's enterprise.
 9. The method of claim 1, wherein providing the set of local subnets comprises: receiving, at each deployed particular edge device, a message from an orchestrator that the VPN has been enabled; after receiving the message, sending the gateway a message to indicate that the set of local subnets of the particular edge device are reachable over the VPN.
 10. The method of claim 2, wherein providing the set of local subnets further comprises in preparation for establishing the VPN, providing the set of local subnets before receiving the message from the orchestrator that the VPN has been enabled.
 11. The method of claim 1 further comprising implementing a routing protocol between each edge device and the gateway.
 12. The method of claim 11, wherein the routing protocol relays state information of each particular edge device that connects to the gateway to each other edge device that connects to the gateway and thus is one hop away.
 13. The method of claim 12 further comprising: defining a virtual routing and forwarding (VRF) table for the enterprise; and identifying in the VRF table each edge device that is one hop away from a particular edge device.
 14. The method of claim 12, wherein the state information includes the local subnets reachable over the VPN.
 15. A non-transitory machine readable medium storing a program implementing a virtual private network (VPN) for an enterprise, the program for execution by at least one processing unit, the program comprising sets of instructions for: configuring a gateway in at least one public cloud to connect a plurality of premises of an enterprise; configuring, at each of at least two premises of the enterprise, an edge device that automatically connects to the gateway to establish the VPN for the enterprise; configuring each deployed edge device to provide to the gateway a set of local subnets of the edge device that is reachable over the VPN; and configuring the gateway to distribute to each particular deployed edge device each set of local subnets provided by each other deployed edge device for the particular deployed edge device to use to forward packets to each other deployed edge device.
 16. The non-transitory machine readable medium of claim 15, wherein the program further comprises a set of instructions for configuring each deployed edge device to negotiate a secure connection link with the gateway before the VPN is established between the gateway and the edge device, in order to establish transmission of secure traffic between the gateway and edge device.
 17. The non-transitory machine readable medium of claim 16, wherein the program further comprising sets of instructions for configuring each edge device to establish an unsecure tunnel with the gateway before negotiating the secure connection link between the edge device and the gateway, by sending, as part of a handshake message exchange, information needed to identify the edge device and a logical identifier for the enterprise.
 18. The non-transitory machine readable medium of claim 17, wherein as part of the handshake message exchange between the gateway and the edge device, the edge device provides to the gateway the set of local subnets of the edge device.
 19. The non-transitory machine readable medium of claim 17, wherein the edge device automatically contacts the gateway and provides data as part of the handshake message exchange because each individual gateway is a self-contained autonomous entity that can be configured through the edge devices rather than being configured by an external orchestrator.
 20. The non-transitory machine readable medium of claim 17, wherein the program further comprises a set of instructions for creating, at the gateway, a new virtual routing and forwarding (VRF) table for the enterprise after being contacted by an initial edge device of the entity.
 21. The non-transitory machine readable medium of claim 20, wherein the program further comprises a set of instructions for configuring the gateway to insert each edge devices set of reachable local subnets in the VRF table of the edge device's enterprise.
 22. The non-transitory machine readable medium of claim 15, wherein each deployed particular edge device receives a message from an orchestrator that the VPN has been enabled, and after receiving the message, sends the gateway a message to indicate that the set of local subnets of the particular edge device are reachable over the VPN. 